A common question about web vulnerability scanners is “does this tool perform invasive scans?” or “will it damage my website or web application?”. The concern is justified: black-box scanners are known to cause email floods (every contact form they find gets submitted, repeatedly) and to post garbage blog entries and comments. If the scanner is given credentials for a database-driven CMS administrator interface, the chances of garbage data being written into the database or, even worse, of records being deleted and a live web application being damaged, are indeed very high.

Why does it happen?

Automated web application security scanners are designed to send input that the target web application does not expect and cannot handle. Mechanically, though, the scanner is simply crawling: it follows every link it finds (a plain GET link in an administrator interface may delete a database record, and a crawler has no way of knowing that in advance) and submits bogus data into every form, looking for responses that indicate a vulnerability. This is why such scans should always be launched against a test or staging environment. If a test environment is not available, make sure a tested backup and restore procedure is in place so that critical data can be restored quickly should anything go wrong, and exclude known destructive URLs (delete actions, logout links) from the scan scope.

So, what does a non-invasive scan do?

Some automated scanners include settings designed to help you launch a non-invasive scan against your target, but don’t be fooled by the term ‘non-invasive scan’. A non-invasive scan will only tickle your website or web application and will not dig deep enough to check for real security issues. For instance, a non-invasive scan will not launch parameter manipulation tests such as SQL injection and cross-site scripting (XSS) attacks, which are invasive tests and also two of the major threats to web application security. A non-invasive scan only launches some very basic “security” checks against the target, such as text searches in responses, checks for known files, version banner checks and a few other passive tests, which typically cannot alter or deface the site or web application.
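To make both of the points above concrete (the crawler following a destructive admin link, and what a non-invasive mode checks compared with an invasive one), here is an added toy example that is not part of the original post and not the code of any real scanner. It runs entirely offline against a constructed in-memory "site" (the hostname target.example, the /admin, /search and /backup.zip paths, the Apache banner and the fake database are all assumptions); a real scanner does the same over HTTP.

```python
"""Toy crawler/scanner over a constructed in-memory site (no network involved)."""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse, parse_qs

BASE = "http://target.example"     # assumed hostname, never actually contacted
DB = {"posts": {}}                 # constructed fake database of the target


def reset_db():
    DB["posts"] = {1: "hello", 2: "world"}


def fake_app(method, url, data=None):
    """Constructed stand-in for the target site. Returns (headers, body) or None for 404.
    `data` carries form fields for both GET and POST forms (a simplification)."""
    p = urlparse(url)
    headers = {"Server": "Apache/2.2.3"}    # banner that a passive version check notices
    if p.path == "/":
        return headers, '<a href="/admin">admin</a><a href="/search">search</a>'
    if p.path == "/admin":
        dels = "".join(f'<a href="/admin/delete?id={i}">del</a>' for i in DB["posts"])
        form = '<form action="/admin/post" method="post"><input name="title"></form>'
        return headers, dels + form
    if p.path == "/admin/delete":           # state-changing GET link: the crawler trap
        DB["posts"].pop(int(parse_qs(p.query)["id"][0]), None)
        return headers, "deleted"
    if p.path == "/admin/post" and method == "POST":
        DB["posts"][max(DB["posts"], default=0) + 1] = data["title"]   # garbage row injected
        return headers, "posted"
    if p.path == "/search":
        q = (data or {}).get("q", "")
        body = f'<form action="/search"><input name="q"></form>Results for: {q}'
        if "'" in q:                         # unescaped quote breaks the fake SQL query
            body += " You have an error in your SQL syntax"
        return headers, body
    if p.path == "/backup.zip":
        return headers, "PK..."
    return None


class LinkFormParser(HTMLParser):
    """Collects <a href> targets and <form>/<input> definitions from a page."""
    def __init__(self):
        super().__init__()
        self.links, self.forms = [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and "href" in a:
            self.links.append(a["href"])
        elif tag == "form":
            self.forms.append({"action": a.get("action", ""),
                               "method": a.get("method", "get").upper(), "fields": []})
        elif tag == "input" and self.forms and "name" in a:
            self.forms[-1]["fields"].append(a["name"])


PAYLOADS = ["'", "<script>alert(1)</script>"]   # minimal SQL injection / XSS probes
KNOWN_FILES = ["/backup.zip", "/.git/HEAD"]     # passive file-existence probes


def scan(invasive, exclude=()):
    """Crawl BASE. Passive checks always run; form submission with bogus data
    only runs when `invasive` is True. `exclude` lists regexes of URLs never to request."""
    findings, seen, queue = set(), set(), [BASE + "/"]
    for f in KNOWN_FILES:
        if fake_app("GET", BASE + f) is not None:
            findings.add(("exposed-file", f))
    while queue:
        url = queue.pop(0)
        if url in seen or any(re.search(x, url) for x in exclude):
            continue
        seen.add(url)
        resp = fake_app("GET", url)          # even a non-invasive crawl issues this GET
        if resp is None:
            continue
        headers, body = resp
        if re.search(r"/\d", headers.get("Server", "")):
            findings.add(("version-banner", headers["Server"]))
        parser = LinkFormParser()
        parser.feed(body)
        queue.extend(urljoin(url, h) for h in parser.links)
        if not invasive:
            continue
        for form in parser.forms:            # invasive: bogus data into every form field
            target = urljoin(url, form["action"])
            for payload in PAYLOADS:
                r = fake_app(form["method"], target, {n: payload for n in form["fields"]})
                if r and payload in r[1]:
                    findings.add(("reflected-input", target))
                if r and "SQL syntax" in r[1]:
                    findings.add(("sql-error", target))
    return findings


if __name__ == "__main__":
    for mode, excl in ((False, ()), (True, ()), (True, (r"/admin/delete",))):
        reset_db()
        found = scan(invasive=mode, exclude=excl)
        print(f"invasive={mode} exclude={excl}: {sorted(found)}; posts left: {DB['posts']}")
```

Running it shows three things. The non-invasive scan reports only the exposed backup file and the version banner, yet the crawl alone still empties the fake posts table, because following the /admin/delete links is ordinary link discovery, not a "test". The invasive scan additionally finds the SQL error and the reflected input on /search, and leaves two garbage posts behind. Only the third run, with /admin/delete excluded from scope, keeps the original records, which is the practical check to make before pointing any scanner at a non-test environment.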

Therefore, as you may already have concluded, a non-invasive scan is more of a marketing term that software vendors use to sell their products with a false sense of security than a genuinely useful security feature. What use is a non-invasive scan if the goal of scanning is to properly secure the web application?